8 year old bug in Linux discovered



Funny, I don't see anyone mentioning the 2-year-old bug in Office Web Components.

http://www.h-online.com/security/Microsoft...e--/news/113994

That was a hole known for 2 years.

Whereas your 8-year vulnerability seems to have been brought to the attention of the kernel team around July.

Not defending anyone; things like this can happen in projects of that size.

I'm just saying that even if you are a fan of MS, you should sweep before your own door before you make jokes about what MS (now) calls competitors.

Oh, and BTW, MS seems to have a history of their own with problems from the past creeping up on them:

http://news.softpedia.com/news/Microsoft-P...SP3-97742.shtml

http://www.networkworld.com/news/2007/1126...nerability.html

I don't remember a big fuss about those either.

Edited by bj-kaiser

I know Microsoft has been guilty of similar things before; these things can happen to anyone. Those other bugs aren't as serious, though: this is a kernel exploit affecting basically every Linux distro for the last 8 years, whereas the ones you pointed out are for Office Web ActiveX, unsigned SMB, and WPAD with .com domains. The Register article also mentioned another recent discovery affecting SELinux. My point is that any software can be vulnerable to known and unknown exploits.


Not defending anyone; things like this can happen in projects of that size.

I'm just saying that even if you are a fan of MS, you should sweep before your own door before you make jokes about what MS (now) calls competitors.

An awfully large bunch of obnoxious Linux zealots keep repeating and telling everyone that Windows is insecure, though. And that Linux is also more secure because everyone can look at the source code, and that this "many eyeballs" approach makes these things never happen. And that with things like SELinux, they're 100% protected against everything. Whereas in reality, it's a VERY different picture.

If you count from around Y2K or so (starting from the Linux kernel 2.2.x and Win2k Server to Win2008), we get very similar pictures:

Linux: 280 advisories, 475 vulnerabilities with 7% unpatched (worst being rated "less critical")

Win: 472 advisories, 580 vulnerabilities with 7% unpatched (worst being rated "less critical")

It only looks somewhat favorable to Linux in this case because basically no one really looked at Linux back when Win2k was out, and there is basically nothing about it (2.2.x: 8 advisories, 5 vulnerabilities), whereas the new kernels, which a lot more people use, get a lot more attention (2.6.x: 187 advisories, 353 vulnerabilities).

If you look from 2003-now (a time frame where more eyes were laid on Linux, due to having more users), we get this:

Linux 2.6.x: 187 advisories, 353 vulnerabilities, 5.8% unpatched (worst being rated "less critical") -- spanning over 5 years and 8 months.

Win2k3+: 242 advisories, 341 vulnerabilities, 5.3% unpatched (worst being rated "less critical") -- spanning over 6 years and 4 months (2/3 of a year extra, or 12% longer)

If you were to adjust the numbers for an identical time span (or remove all the bugs discovered in the first 8 months Win2003 was out), then Linux looks even worse.

And here, we're merely comparing Linux' kernel flaws against an entire OS and all of its components combined. That's not even remotely fair!

If you were to take the current version of the most common commercial server-oriented Linux distro (that would be RHEL 5) and compare it to the latest version of Windows Server (the best/latest the two biggest companies have to offer), we get these:

RHEL 5: 273 Secunia advisories, 829 Vulnerabilities, 0 unpatched, been out for 2 years, 5 months

Win 2008: 40 Secunia advisories, 82 Vulnerabilities, 0 unpatched, been out for 1 year, 6 1/2 months

Yes, RHEL has been around for 50% longer, but even if you boost Win 2008's numbers up by 50%, we're *nowhere near* RHEL 5's numbers. 600% more advisories and 1000% more vulnerabilities in 50% longer?

Simple comparison (I'm not going to manually compare 1000s of bugs spanning several years, sorry), but I think it makes a point regardless. It hardly looks like the perfect, 100% bulletproof, impenetrable Fort Knox they make it out to be now, does it? That doesn't prevent them from laughing "M$ Windoze is insecure! LOL BSOD!" all the time. That very much explains PC_LOAD_LETTER's point.

And if this wasn't MSFN, there would be people calling me a paid shill or astroturfer within mere seconds of posting this. As if Bill himself personally hands a fat cheque to everyone who likes Windows and has ever said so on the internet. And if anything has ever not worked on Linux, then it's either my fault for being too stupid (including when drivers don't exist), or I should STFU and fix it myself and submit a patch (yeah, exactly what the average end user wants!), or I've been too lazy to try these 52 other distros, or whatever other nonsense. Only to be told afterwards that the GIMP is a perfectly good replacement for Photoshop CS4, Evolution for Outlook, OOo for MS Office and so on.


The question really is "do many eyes make all bugs shallow?", or why would closed source make bugs more identifiable? Does Linus' Law still stand, or has it been undermined? "It just does, look at these statistics" isn't a good enough answer given the manipulability of selective statistics. It would be interesting to see whether open-source OpenBSD suffers a comparable level of bugs.

Edited by darrelljon

OpenBSD prides themselves in this:

"Only two remote holes in the default install, in a heck of a long time!" (to quote OpenBSD.org)

I did a quick stab with Google trying to find the default package/application setup, but I didn't get lucky. However, I didn't spend much time on it.


Just stating the obvious, BSD and Linux are completely different. The only similarity might be licensing.

The point about the vulnerability of open-source software to bugs is the same.

That's true; however, it was sort of a red herring.

As deliberate distractions go, I'd say the news of an 8 year-old bug discovered in the Linux kernel was more of a red herring to distract from Linus' Law.


Just stating the obvious, BSD and Linux are completely different. The only similarity might be licensing.

The point about the vulnerability of open-source software to bugs is the same.

That's true; however, it was sort of a red herring.

As deliberate distractions go, I'd say the news of an 8 year-old bug discovered in the Linux kernel was more of a red herring to distract from Linus' Law.

I think you're referring to "Linus' Law according to Eric S. Raymond", which was referred to earlier. I don't think the news is a distraction but rather proof that the idea of such a law is invalid.


I think you're referring to "Linus' Law according to Eric S. Raymond", which was referred to earlier. I don't think the news is a distraction but rather proof that the idea of such a law is invalid.

In the news, it is stated that researchers found the bug mentioned, right? Linus' Law has been proved correct, as another set of eyeballs made yet another bug shallow (discovered and to be fixed).

To invalidate Linus' Law, you need to prove that undiscovered bugs exist and are not shallow. How can you make that absolute claim without checking the source code and finding the bugs? And if they are found, then you are just confirming the law as valid with your own eyeballs.


To invalidate Linus' Law, you need to prove that undiscovered bugs exist and are not shallow. How can you make that absolute claim without checking the source code and finding the bugs? And if they are found, then you are just confirming the law as valid with your own eyeballs.

Yup, so we have a Catch-22. I think time is an important thing to consider, though, when talking about security. 8 years means it was either overlooked or ignored for 8 years; vulnerable for 8 years. Then again, if a tree falls in the woods... I just don't like that people call some idea a law and pretend that in itself makes it true; it's not a good premise.
